8 files changed, 113 insertions, 105 deletions
diff --git a/lib/ssl/src/ssl.appup.src b/lib/ssl/src/ssl.appup.src
index 29674f30da..1b07e76d6a 100644
--- a/lib/ssl/src/ssl.appup.src
+++ b/lib/ssl/src/ssl.appup.src
@@ -1,6 +1,7 @@
 %% -*- erlang -*-
 {"%VSN%",
  [
+  {"4.1.6", [{restart_application, ssl}]},
   {"4.1.5", [{restart_application, ssl}]},
   {"4.1.4", [{restart_application, ssl}]},
   {"4.1.3", [{restart_application, ssl}]},
@@ -10,6 +11,7 @@
   {"4.0.1", [{restart_application, ssl}]}
  ], 
  [
+  {"4.1.6", [{restart_application, ssl}]},
   {"4.1.5", [{restart_application, ssl}]},
   {"4.1.4", [{restart_application, ssl}]},
   {"4.1.3", [{restart_application, ssl}]},
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 35f9410562..d0693445e0 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -608,8 +608,11 @@ validate_option(certfile, Value) when Value == undefined; is_list(Value) ->
 validate_option(key, undefined) ->
     undefined;
 validate_option(key, {KeyType, Value}) when is_binary(Value),
-					    KeyType == rsa;
-					    KeyType == dsa ->
+					    KeyType == rsa; %% Backwards compatibility
+					    KeyType == dsa; %% Backwards compatibility
+					    KeyType == 'RSAPrivateKey';
+					    KeyType == 'DSAPrivateKey';
+					    KeyType == 'PrivateKeyInfo' ->
     {KeyType, Value};
 validate_option(keyfile, Value) when is_list(Value) ->
     Value;
diff --git a/lib/ssl/src/ssl_certificate.erl b/lib/ssl/src/ssl_certificate.erl
index 422ea6404b..61876e1158 100644
--- a/lib/ssl/src/ssl_certificate.erl
+++ b/lib/ssl/src/ssl_certificate.erl
@@ -66,7 +66,7 @@ trusted_cert_and_path(CertChain, CertDbHandle, CertDbRef) ->
 		    {ok, IssuerId} ->
 			{other, IssuerId};
 		    {error, issuer_not_found} ->
-			case find_issuer(OtpCert, no_candidate, CertDbHandle) of
+			case find_issuer(OtpCert, CertDbHandle) of
 			    {ok, IssuerId} ->
 				{other, IssuerId};
 			    Other ->
@@ -193,7 +193,7 @@ certificate_chain(OtpCert, _Cert, CertDbHandle, CertsDbRef, Chain) ->
 	{_, true = SelfSigned} ->
 	    certificate_chain(CertDbHandle, CertsDbRef, Chain, ignore, ignore, SelfSigned);
 	{{error, issuer_not_found}, SelfSigned} ->
-	    case find_issuer(OtpCert, no_candidate, CertDbHandle) of
+	    case find_issuer(OtpCert, CertDbHandle) of
 		{ok, {SerialNr, Issuer}} ->
 		    certificate_chain(CertDbHandle, CertsDbRef, Chain,
 				      SerialNr, Issuer, SelfSigned);
@@ -227,17 +227,24 @@ certificate_chain(CertDbHandle, CertsDbRef, Chain, SerialNr, Issuer, _SelfSigned
 	    {ok, lists:reverse(Chain)}		      
     end.
 
-find_issuer(OtpCert, PrevCandidateKey, CertDbHandle) ->
-    case ssl_manager:issuer_candidate(PrevCandidateKey, CertDbHandle) of
- 	no_more_candidates ->
- 	    {error, issuer_not_found};
- 	{Key, {_Cert, ErlCertCandidate}} ->
-	    case public_key:pkix_is_issuer(OtpCert, ErlCertCandidate) of
-		true ->
-		    public_key:pkix_issuer_id(ErlCertCandidate, self);
-		false ->
-		    find_issuer(OtpCert, Key, CertDbHandle)
-	    end
+find_issuer(OtpCert, CertDbHandle) ->
+    IsIssuerFun = fun({_Key, {_Der, #'OTPCertificate'{} = ErlCertCandidate}}, Acc) ->
+			  case public_key:pkix_is_issuer(OtpCert, ErlCertCandidate) of
+			      true ->
+				  throw(public_key:pkix_issuer_id(ErlCertCandidate, self));
+			      false ->
+				  Acc
+			  end;
+		     (_, Acc) ->
+			  Acc
+		  end,
+
+    try ssl_certificate_db:foldl(IsIssuerFun, issuer_not_found, CertDbHandle) of
+	issuer_not_found ->
+	    {error, issuer_not_found}
+    catch 
+	{ok, _IssuerId} = Return ->
+	    Return
     end.
 
 is_valid_extkey_usage(KeyUse, client) ->
diff --git a/lib/ssl/src/ssl_certificate_db.erl b/lib/ssl/src/ssl_certificate_db.erl
index 0560a02110..cb2473576a 100644
--- a/lib/ssl/src/ssl_certificate_db.erl
+++ b/lib/ssl/src/ssl_certificate_db.erl
@@ -26,7 +26,7 @@
 -include_lib("public_key/include/public_key.hrl").
 
 -export([create/0, remove/1, add_trusted_certs/3, 
-	 remove_trusted_certs/2, lookup_trusted_cert/4, issuer_candidate/2,
+	 remove_trusted_certs/2, lookup_trusted_cert/4, foldl/3, 
 	 lookup_cached_certs/2, cache_pem_file/4, uncache_pem_file/2, lookup/2]).
 
 -type time()      :: {non_neg_integer(), non_neg_integer(), non_neg_integer()}.
@@ -127,8 +127,6 @@ uncache_pem_file(File, [_CertsDb, _FileToRefDb, PidToFileDb]) ->
 			  exit(Pid, shutdown)
 		  end, Pids).
 
-
-
 %%--------------------------------------------------------------------
 -spec remove_trusted_certs(pid(), [db_handle()]) -> term().
 				  
@@ -161,37 +159,6 @@ remove_trusted_certs(Pid, [CertsDb, FileToRefDb, PidToFileDb]) ->
     end.
 
 %%--------------------------------------------------------------------
--spec issuer_candidate(no_candidate | cert_key() | {file, term()}, term()) ->
-			      {cert_key(),{der_cert(), #'OTPCertificate'{}}} | no_more_candidates.
-%%
-%% Description: If a certificat does not define its issuer through
-%%              the extension 'ce-authorityKeyIdentifier' we can
-%%              try to find the issuer in the database over known
-%%              certificates. 
-%%--------------------------------------------------------------------
-issuer_candidate(no_candidate, Db) ->
-    case ets:first(Db) of
- 	'$end_of_table' ->
- 	    no_more_candidates;
-	{file, _} = Key ->
-	    issuer_candidate(Key, Db);
- 	Key ->
-	    [Cert] = lookup(Key, Db),
- 	    {Key, Cert}
-    end;
-
-issuer_candidate(PrevCandidateKey, Db) ->
-    case ets:next(Db, PrevCandidateKey) of
- 	'$end_of_table' ->
- 	    no_more_candidates;
-	{file, _} = Key ->
-	    issuer_candidate(Key, Db);
- 	Key ->
-	    [Cert] = lookup(Key, Db),
- 	    {Key, Cert}
-    end.
-
-%%--------------------------------------------------------------------
 -spec lookup(term(), db_handle()) -> term() | undefined.
 %%
 %% Description: Looks up an element in a certificat <Db>.
@@ -206,7 +173,18 @@ lookup(Key, Db) ->
 		   end,
 	    [Pick(Data) || Data <- Contents]
     end.
-
+%%--------------------------------------------------------------------
+-spec foldl(fun(), term(), db_handle()) -> term().
+%%
+%% Description: Calls Fun(Elem, AccIn) on successive elements of the
+%% cache, starting with AccIn == Acc0. Fun/2 must return a new
+%% accumulator which is passed to the next call. The function returns
+%% the final value of the accumulator. Acc0 is returned if the certifate
+%% db is empty.
+%%--------------------------------------------------------------------
+foldl(Fun, Acc0, Cache) ->
+    ets:foldl(Fun, Acc0, Cache).
+  
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index c772697f1d..0c44d3ae90 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -303,12 +303,13 @@ init([Role, Host, Port, Socket, {SSLOpts0, _} = Options,
       User, CbInfo]) ->
     State0 = initial_state(Role, Host, Port, Socket, Options, User, CbInfo),
     Hashes0 = ssl_handshake:init_hashes(),    
-
+    TimeStamp = calendar:datetime_to_gregorian_seconds({date(), time()}),
     try ssl_init(SSLOpts0, Role) of
 	{ok, Ref, CertDbHandle, CacheHandle, OwnCert, Key, DHParams} ->
 	    Session = State0#state.session,
 	    State = State0#state{tls_handshake_hashes = Hashes0,
-				 session = Session#session{own_certificate = OwnCert},
+				 session = Session#session{own_certificate = OwnCert,
+							   time_stamp = TimeStamp},
 				 cert_db_ref = Ref,
 				 cert_db = CertDbHandle,
 				 session_cache = CacheHandle,
@@ -351,8 +352,7 @@ hello(start, #state{host = Host, port = Port, role = client,
     State1 = State0#state{connection_states = CS2,
 			 negotiated_version = Version, %% Requested version
 			  session =
-			      Session0#session{session_id = Hello#client_hello.session_id,
-					       is_resumable = false},
+			      Session0#session{session_id = Hello#client_hello.session_id},
 			  tls_handshake_hashes = Hashes1},
     {Record, State} = next_record(State1),
     next_state(hello, Record, State);
@@ -1126,18 +1126,38 @@ init_private_key(DbHandle, undefined, KeyFile, Password, _) ->
 	{ok, List} = ssl_manager:cache_pem_file(KeyFile, DbHandle),
 	[PemEntry] = [PemEntry || PemEntry = {PKey, _ , _} <- List,
 				  PKey =:= 'RSAPrivateKey' orelse
-				      PKey =:= 'DSAPrivateKey'],
-	public_key:pem_entry_decode(PemEntry, Password)
+				      PKey =:= 'DSAPrivateKey' orelse
+				      PKey =:= 'PrivateKeyInfo'
+		     ],
+	private_key(public_key:pem_entry_decode(PemEntry, Password))
     catch 
 	Error:Reason ->
 	    handle_file_error(?LINE, Error, Reason, KeyFile, ekeyfile,
 			      erlang:get_stacktrace()) 
     end;
 
+%% First two clauses are for backwards compatibility
 init_private_key(_,{rsa, PrivateKey}, _, _,_) ->
-    public_key:der_decode('RSAPrivateKey', PrivateKey);
+    init_private_key('RSAPrivateKey', PrivateKey);
 init_private_key(_,{dsa, PrivateKey},_,_,_) ->
-    public_key:der_decode('DSAPrivateKey', PrivateKey).
+    init_private_key('DSAPrivateKey', PrivateKey);
+init_private_key(_,{Asn1Type, PrivateKey},_,_,_) ->
+    private_key(init_private_key(Asn1Type, PrivateKey)).
+
+init_private_key(Asn1Type, PrivateKey) ->
+    public_key:der_decode(Asn1Type, PrivateKey).
+
+private_key(#'PrivateKeyInfo'{privateKeyAlgorithm =
+				 #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'rsaEncryption'},
+			     privateKey = Key}) ->
+    public_key:der_decode('RSAPrivateKey', iolist_to_binary(Key));
+
+private_key(#'PrivateKeyInfo'{privateKeyAlgorithm =
+				 #'PrivateKeyInfo_privateKeyAlgorithm'{algorithm = ?'id-dsa'},
+			     privateKey = Key}) ->
+    public_key:der_decode('DSAPrivateKey', iolist_to_binary(Key));
+private_key(Key) ->
+    Key.
 
 -spec(handle_file_error(_,_,_,_,_,_) -> no_return()).
 handle_file_error(Line, Error, {badmatch, Reason}, File, Throw, Stack) ->
@@ -1987,16 +2007,16 @@ next_state_is_connection(State0) ->
 					       public_key_info = undefined,
 					       tls_handshake_hashes = {<<>>, <<>>}}).
 
-register_session(_, _, _, #session{is_resumable = true} = Session) ->
-    Session; %% Already registered
-register_session(client, Host, Port, Session0) ->
+register_session(client, Host, Port, #session{is_resumable = new} = Session0) ->
     Session = Session0#session{is_resumable = true},
     ssl_manager:register_session(Host, Port, Session),
     Session;
-register_session(server, _, Port, Session0) ->
+register_session(server, _, Port, #session{is_resumable = new} = Session0) ->
     Session = Session0#session{is_resumable = true},
     ssl_manager:register_session(Port, Session),
-    Session.
+    Session;
+register_session(_, _, _, Session) ->
+    Session. %% Already registered
 
 invalidate_session(client, Host, Port, Session) ->
     ssl_manager:invalidate_session(Host, Port, Session);
@@ -2020,7 +2040,7 @@ initial_state(Role, Host, Port, Socket, {SSLOptions, SocketOptions}, User,
 	   %% We do not want to save the password in the state so that
 	   %% could be written in the clear into error logs.
 	   ssl_options = SSLOptions#ssl_options{password = undefined},	   
-	   session = #session{is_resumable = false},
+	   session = #session{is_resumable = new},
 	   transport_cb = CbModule,
 	   data_tag = DataTag,
 	   close_tag = CloseTag,
diff --git a/lib/ssl/src/ssl_handshake.erl b/lib/ssl/src/ssl_handshake.erl
index f873a6a913..7eb7f44df6 100644
--- a/lib/ssl/src/ssl_handshake.erl
+++ b/lib/ssl/src/ssl_handshake.erl
@@ -1092,18 +1092,12 @@ certificate_authorities(CertDbHandle, CertDbRef) ->
     list_to_binary([Enc(Cert) || {_, Cert} <- Authorities]).
 
 certificate_authorities_from_db(CertDbHandle, CertDbRef) ->
-    certificate_authorities_from_db(CertDbHandle, CertDbRef, no_candidate, []).
-
-certificate_authorities_from_db(CertDbHandle,CertDbRef, PrevKey, Acc) ->
-    case ssl_manager:issuer_candidate(PrevKey, CertDbHandle) of
-	no_more_candidates ->
-	    lists:reverse(Acc);
-	{{CertDbRef, _, _} = Key, Cert} ->
-	    certificate_authorities_from_db(CertDbHandle, CertDbRef, Key, [Cert|Acc]);
-	{Key, _Cert} ->
-	    %% skip certs not from this ssl connection
-	    certificate_authorities_from_db(CertDbHandle, CertDbRef, Key, Acc)
-    end.
+    ConnectionCerts = fun({{Ref, _, _}, Cert}, Acc) when Ref  == CertDbRef ->
+			      [Cert | Acc];
+			 (_, Acc) ->
+			      Acc
+		      end,	
+    ssl_certificate_db:foldl(ConnectionCerts, [], CertDbHandle).
 
 digitally_signed(Hash, #'RSAPrivateKey'{} = Key) ->
     public_key:encrypt_private(Hash, Key,
diff --git a/lib/ssl/src/ssl_manager.erl b/lib/ssl/src/ssl_manager.erl
index dcf310c535..6a44ef8c3e 100644
--- a/lib/ssl/src/ssl_manager.erl
+++ b/lib/ssl/src/ssl_manager.erl
@@ -29,8 +29,8 @@
 %% Internal application API
 -export([start_link/1, start_link_dist/1,
 	 connection_init/2, cache_pem_file/2,
-	 lookup_trusted_cert/4, issuer_candidate/2, client_session_id/4,
-	 server_session_id/4,
+	 lookup_trusted_cert/4,
+	 client_session_id/4, server_session_id/4,
 	 register_session/2, register_session/3, invalidate_session/2,
 	 invalidate_session/3]).
 
@@ -112,16 +112,7 @@ cache_pem_file(File, DbHandle) ->
 %% --------------------------------------------------------------------
 lookup_trusted_cert(DbHandle, Ref, SerialNumber, Issuer) ->
     ssl_certificate_db:lookup_trusted_cert(DbHandle, Ref, SerialNumber, Issuer).
-%%--------------------------------------------------------------------
--spec issuer_candidate(cert_key() | no_candidate, term()) ->
-			      {cert_key(),
-			       {der_cert(),
-				#'OTPCertificate'{}}} | no_more_candidates.
-%%
-%% Description: Return next issuer candidate.
-%%--------------------------------------------------------------------
-issuer_candidate(PrevCandidateKey, DbHandle) ->
-    ssl_certificate_db:issuer_candidate(PrevCandidateKey, DbHandle).
+
 %%--------------------------------------------------------------------
 -spec client_session_id(host(), inet:port_number(), #ssl_options{},
 			der_cert() | undefined) -> session_id().
@@ -278,25 +269,16 @@ handle_cast({register_session, Port, Session},
     CacheCb:update(Cache, {Port, NewSession#session.session_id}, NewSession),
     {noreply, State};
 
-%%% When a session is invalidated we need to wait a while before deleting
-%%% it as there might be pending connections that rightfully needs to look
-%%% up the session data but new connections should not get to use this session.
 handle_cast({invalidate_session, Host, Port,
 	     #session{session_id = ID} = Session},
 	    #state{session_cache = Cache,
 		   session_cache_cb = CacheCb} = State) ->
-    CacheCb:update(Cache, {{Host, Port}, ID}, Session#session{is_resumable = false}),
-    TRef =
-	erlang:send_after(delay_time(), self(), {delayed_clean_session, {{Host, Port}, ID}}),
-    {noreply, State#state{last_delay_timer = TRef}};
+    invalidate_session(Cache, CacheCb, {{Host, Port}, ID}, Session, State);
 
 handle_cast({invalidate_session, Port, #session{session_id = ID} = Session},
 	    #state{session_cache = Cache,
 		   session_cache_cb = CacheCb} = State) ->
-    CacheCb:update(Cache, {Port, ID}, Session#session{is_resumable = false}),
-    TRef =
-	erlang:send_after(delay_time(), self(), {delayed_clean_session, {Port, ID}}),
-    {noreply, State#state{last_delay_timer = TRef}};
+    invalidate_session(Cache, CacheCb, {Port, ID}, Session, State);
 
 handle_cast({recache_pem, File, LastWrite, Pid, From},
 	    #state{certificate_db = [_, FileToRefDb, _]} = State0) ->
@@ -320,7 +302,7 @@ handle_cast({recache_pem, File, LastWrite, Pid, From},
 %%				      {stop, reason(), #state{}}.
 %%
 %% Description: Handling all non call/cast messages
-%%-------------------------------------------------------------------- 
+%%-------------------------------------------------------------------
 handle_info(validate_sessions, #state{session_cache_cb = CacheCb,
 				      session_cache = Cache,
 				      session_lifetime = LifeTime
@@ -444,3 +426,20 @@ delay_time() ->
 	_ ->
 	   ?CLEAN_SESSION_DB
     end.
+
+invalidate_session(Cache, CacheCb, Key, Session, State) ->
+    case CacheCb:lookup(Cache, Key) of
+	undefined -> %% Session is already invalidated
+	    {noreply, State};
+	#session{is_resumable = new} ->
+	    CacheCb:delete(Cache, Key),
+	    {noreply, State};
+	_ ->
+	    %% When a registered session is invalidated we need to wait a while before deleting
+	    %% it as there might be pending connections that rightfully needs to look
+	    %% up the session data but new connections should not get to use this session.
+	    CacheCb:update(Cache, Key, Session#session{is_resumable = false}),
+	    TRef =
+		erlang:send_after(delay_time(), self(), {delayed_clean_session, Key}),
+	    {noreply, State#state{last_delay_timer = TRef}}
+    end.
diff --git a/lib/ssl/src/ssl_session.erl b/lib/ssl/src/ssl_session.erl
index bf738649f6..df5d7e0146 100644
--- a/lib/ssl/src/ssl_session.erl
+++ b/lib/ssl/src/ssl_session.erl
@@ -103,9 +103,9 @@ select_session([], _, _) ->
 
 select_session(Sessions, #ssl_options{ciphers = Ciphers,
 				      reuse_sessions = ReuseSession}, OwnCert) ->
-    IsResumable = 
- 	fun(Session) -> 
- 		ReuseSession andalso (Session#session.is_resumable) andalso  
+    IsResumable =
+	fun(Session) ->
+		ReuseSession andalso resumable(Session#session.is_resumable) andalso
  		    lists:member(Session#session.cipher_suite, Ciphers)
 		    andalso (OwnCert == Session#session.own_certificate)
  	end,
@@ -147,10 +147,10 @@ is_resumable(SuggestedSessionId, Port, ReuseEnabled, ReuseFun, Cache,
 	#session{cipher_suite = CipherSuite,
 		 own_certificate = SessionOwnCert,
 		 compression_method = Compression,
-		 is_resumable = Is_resumable,
+		 is_resumable = IsResumable,
 		 peer_certificate = PeerCert} = Session ->
 	    ReuseEnabled 
-		andalso Is_resumable  
+		andalso resumable(IsResumable)
 		andalso (OwnCert == SessionOwnCert)
 		andalso valid_session(Session, SecondLifeTime) 
 		andalso ReuseFun(SuggestedSessionId, PeerCert, 
@@ -158,3 +158,8 @@ is_resumable(SuggestedSessionId, Port, ReuseEnabled, ReuseFun, Cache,
 	undefined ->
 	    false
     end.
+
+resumable(new) ->
+    false;
+resumable(IsResumable) ->
+    IsResumable.